Use the search tokens below to search for resources discovered. You'll need to first choose cloud provider on the Resources tab to see the relevant tokens for your environment. Looking for help with writing your query? click here
Example
Show findings with this account ID
account.id: 205767712438
Example
Show connectors with this account alias
account.alias: Example_connector
Example
Show connectors with this subscription name
subscriptionName: Sample Cloud Subscription
Examples
Show resources created within certain dates
created: [2018-01-01 ... 2018-03-01]
Show resources created starting 2018-10-01, ending 1 month ago
created: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
created: [now-2w ... now-1s]
Show resources created on specific date
created: 2018-01-08
Examples
Show resources updated within certain dates
updated: [2018-01-01 ... 2018-03-01]
Show resources updated starting 2018-10-01, ending 1 month ago
updated: [2018-01-01 ... now-1m]
Show resources updated starting 2 weeks ago, ending 1 second ago
updated: [now-2w ... now-1s]
Show resources updated on specific date
updated: 2018-01-08
Examples
Show any findings with this name
name: my-resource
Example
Find resources synced from Amazon AWS
provider: aws
Example
Find resources in the Singapore region
region: Singapore
Example
Show resources with ID acl-8e5198f5
resource.id: acl-8e5198f5
Example
Show resources of type Instance
resource.type: Instance
Example
Show findings with key Department
tag.key: Department
Example
Show findings with tag value Finance
tag.value: Finance
Example
Show findings with account ID 205767712438 and type Subnet
account.id: 205767712438 and resource.type: Subnet
Example
Show findings that are not resource type Instance
not resource.type: Instance
Example
Show findings with one of these tag values
tag.value: Finance or tag.value: Accounting
Example
Show resources with this projectId
projectId: my-project-1513669048551
These tokens are available in queries with resource.type:Auto Scaling Group
Example
Find auto scaling groups in the us-east-1a availability zone
autoscaling.availabilityZone: us-east-1a
Examples
Show groups discovered within certain dates
autoscaling.createdTime: [2018-01-01 ... 2018-03-01]
Show groups updated starting 2018-10-01, ending 1 month ago
autoscaling.createdTime: [2018-01-01 ... now-1m]
Show groups updated starting 2 weeks ago, ending 1 second ago
autoscaling.createdTime: [now-2w ... now-1s]
Show groups discovered on specific date
autoscaling.createdTime: 2018-01-08
Example
Show groups with health check type ec2
autoscaling.healthCheckType: ec2
Example
Show findings with this instance ID
autoscaling.instanceId: i-1234567890abcdef0
Example
Show findings with this launch configuration name
autoscaling.launchConfigurationName: LaunchConfig-BF31WBIYCM64
Example
Show findings with this load balancer name
autoscaling.loadBalancerName: AppServer ELB
These tokens are available in queries with resource.type:IAM User
Examples
Show findings with access key1 active
iamuser.accessKey1Active: true
Show findings with access key1 not active
iamuser.accessKey1Active: false
Examples
Show last rotated within certain dates
iamuser.accessKey1LastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-10-01, ending 1 month ago
iamuser.accessKey1LastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey1LastRotated: 2018-01-08
Examples
Show last used within certain dates
iamuser.accessKey1LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-10-01, ending 1 month ago
iamuser.accessKey1LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey1LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey1LastUsed: 2018-01-08
Examples
Show findings with access key2 active
iamuser.accessKey2Active: true
Show finings with access key2 not active
iamuser.accessKey2Active: false
Examples
Show last rotated within certain dates
iamuser.accessKey2lastRotated: [2018-01-01 ... 2018-03-01]
Show last rotated starting 2018-10-01, ending 1 month ago
iamuser.accessKey2lastRotated: [2018-01-01 ... now-1m]
Show last rotated starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2lastRotated: [now-2w ... now-1s]
Show last rotated on specific date
iamuser.accessKey2lastRotated: 2018-01-08
Examples
Show last used within certain dates
iamuser.accessKey2LastUsed: [2018-01-01 ... 2018-03-01]
Show last used starting 2018-01-012, ending 1 month ago
iamuser.accessKey2LastUsed: [2018-01-01 ... now-1m]
Show last used starting 2 weeks ago, ending 1 second ago
iamuser.accessKey2LastUsed: [now-2w ... now-1s]
Show last used on specific date
iamuser.accessKey2LastUsed: 2018-01-08
Example
Show findings with this ARN
iamuser.arn: arn:aws:iam::383031258652:user/LOCAL_1234
Examples
Show findings with multi factor authentication enabled
iamuser.mfaActive: true
Show finings without multi factor authentication enabled
iamuser.mfaActive: false
Examples
Show findings with password enabled
iamuser.passwordEnabled: true
Show finings without password enabled
iamuser.passwordEnabled: false
Examples
Show passwords last updated within certain dates
iamuser.passwordLastChanged: [
2018-01-01 ... 2018-03-01
]
Show passwords last updated starting 2018-01-01, ending 1 month ago
iamuser.passwordLastChanged: [
2018-01-01 ... now-1m
]
Show passwords last updated starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastChanged: [now-2w ... now-1s]
Show passwords last updated on specific date
iamuser.passwordLastChanged: 2018-01-08
Examples
Show passwords last used within certain dates
iamuser.passwordLastUsed: [
2018-01-01 ... 2018-03-01
]
Show passwords last used starting 2018-01-01, ending 1 month ago
iamuser.passwordLastUsed: [
2018-01-01 ... now-1m
]
Show passwords last used starting 2 weeks ago, ending 1 second ago
iamuser.passwordLastUsed: [now-2w ... now-1s]
Show passwords last used on specific date
iamuser.passwordLastUsed: 2018-01-08
Examples
Show next rotation within certain dates
iamuser.passwordNextRotation: [
2018-01-01 ... 2018-03-01
]
Show next rotation starting 2018-01-01, ending 1 month ago
iamuser.passwordNextRotation: [
2018-01-01 ... now-1m
]
Show next rotation starting 2 weeks ago, ending 1 second ago
iamuser.passwordNextRotation: [now-2w ... now-1s]
Show next rotation on specific date
iamuser.passwordNextRotation: 2018-01-08
Examples
Show users created within certain dates
iamuser.userCreationTime: [2018-01-01 ... 2018-03-01]
Show users created from starting 2018-01-01, ending 1 month ago
iamuser.userCreationTime: [
2018-01-01 ... now-1m
]
Show users created starting 2 weeks ago, ending 1 second ago
iamuser.userCreationTime: [now-2w ... now-1s]
Show users created on specific date
iamuser.userCreationTime: 2018-01-08
Examples
Show any findings with this ID
iamuser.userId: ABCDEFGHIJ1K2
Show any findings that contain parts of ID
iamuser.userId: "ABCDEFGHIJ1K2"
Examples
Show any findings with this name
iamuser.username: Jane
Examples
Show any findings with this path
iamuser.path: /
Show any findings that contain parts of path
iamuser.path: "/"
These tokens are available in queries with resource.type:Instance
Example
Show findings in the us-east-1a availability zone
instance.availabilityZone: us-east-1a
Example
Show findings with this image ID
instance.imageId: ami-2ea83347
Example
Show instances with docker installed on the host
instance.isDockerHost:true
Show instances without docker installed on the host
instance.isDockerHost:false
Example
Show instances with Container Security Sensor installed on the host
instance.hasSensor:true
Show instances without Container Security Sensor installed on the host
instance.hasSensor:false
Example
Show instances with specified docker version
instance.docker.version:8.2
Example
Show findings with this address ID
instance.networkInterface.addressId: id-12345
Examples
Show any findings with this description
instance.networkInterface.description: My Description
Show any findings that contain parts of description
instance.networkInterface.description: "My Description"
Example
Show findings with this group ID
instance.networkInterface.groupId: sg-1a2b3c4d
Example
Show findings with this group name
instance.networkInterface.groupName: My Group
Example
Show findings with this IPv6 address
instance.networkInterface.ipv6Ip: 2010:ab2::1234:zzz:2002:1f
Example
Show findings with this private DNS name
instance.networkInterface.privateDnsName: ip-172-31-33-67.us-east-2.compute.internal
Example
Show findings with this private IP
instance.networkInterface.privateIpAddress: 172.31.28.151
Example
Show findings with this public IP address
instance.networkInterface.publicIp: 13.126.125.189
Example
Show findings with this secondary private IP
instance.networkInterface.secondaryPrivateIp: 10.0.0.85
Example
Show findings on this subnet ID
instance.networkInterface.subnetId: subnet-6f2cec07
Example
Show findings with this private DNS address
instance.networkInterface.privateDnsName: ip-10-90-2-85.ec2.internal
Example
Show findings with this private IP address
instance.networkInterface.privateIpAddress: 10.90.0.119
Example
Show findings with this private DNS name
instance.privateDnsName: ip-10-90-2-85.ec2.internal
Example
Show findings with this private IP address
instance.privateIpAddress: 10.90.0.119
Example
Show findings with this public DNS address
instance.publicDnsName: ec2-52-70-141-154.compute-1.amazonaws.com
Example
Show findings with this public IP address
instance.publicIpAddress: 52.70.141.154
Example
Show findings with this secondary private IP
instance.secondaryPrivateIpAddress: 10.90.0.119
Example
Show EC2 instances with this security group ID
instance.securityGroup.id: sg-4798a22f
Example
Show findings with this security group name
instance.securityGroup.name: Windows RDP Allow Group
Example
Show findings with this Spot Instance request ID
instance.spotInstanceRequestId: sir-08b93456
Example
Show running EC2 instances
instance.state: running
Example
Show EC2 instances with impaired status
instance.status: impaired
Example
Show findings on this subnet ID
instance.subnetId: subnet-bc02c0d4
Example
Show findings with this instance type
instance.type: t2.micro
Example
Show findings with this VPC ID
instance.vpcId: vpc-1e37cd76
Example
Show all EC2 instances having ANY instance profile
instance.profileName: (*..*)
Example
Show all EC2 instances having profile arn
instance.profileArn: abc12345arnsample
Show all EC2 instances that exactly match the specified profile arn
instance.profileArn: `abc12345arnsample`
Example
Show all instances NOT associated with any roles in the profile
instanceProfile.role.name is null
Example
Show all instances associated with any arn
instanceProfile.role.arn: (*..*)
Show all instances that exactly match the arn
instanceProfile.role.arn: `1
de1e0a7-4f67-4812-917d-1236853844e1`
Example
Show resources associated with the connector for which remediation is enabled
connector.remediationEnabled: TRUE
Note: This search token is available only if you enable Remediation feature (currently in preview mode). To enable Remediation feature for your subscription, contact your Technical Account Manager at Qualys.
Example
Show resources with success status for remediation action
action.status: Success
Note: This search token is available only if you enable Remediation feature (currently in preview mode). To enable Remediation feature for your subscription, contact your Technical Account Manager at Qualys.
Example
Show findings with a cloud agent
instance.hasAgent:true
Show findings without a cloud agent
instance.hasAgent:false
Example
Show findings with QID 90405
vulnerability.qid:90405
Example
Show findings with severity 4
vulnerability.severity:4
Example
Show findings with QID 90405
vulnerability.customerSeverity:3
Examples
Show any findings related to this description
vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
vulnerability.exploitability: `GIF Parser Heap`
Examples
Show findings with patch available
vulnerability.patchAvailable: "true"
Show findings with no patch available
vulnerability.patchAvailable: "false"
Examples
Show findings first found within certain dates
vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
vulnerability.firstFound:'2015-11-11'
Examples
Show findings last found within certain dates
vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND vulnerability.patchAvailable: "true")
Examples
Show any findings related to this title
vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
vulnerability.title: "Remote Code"
Show any findings that match exact value
vulnerability.title: `Remote Code`
Examples
Show any findings related to description
vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
vulnerability.description: "remote code execution"
Show any findings that match exact value
vulnerability.description: `remote code execution`
Example
Show findings with CVE name CVE-2015-0313
vulnerability.cveIds: CVE-2015-0313
Example
Show findings with the category CGI
vulnerability.category: "CGI"
Example
Show assets with this score
vulnerability.cvss3Info.baseScore: 7.8
Example
Show assets with this score
vulnerability.cvss3Info.temporalScore: 6.4
Example
Show findings with this name
vulnerability.cvssInfo.accessVector: "NETWORK"
Example
Show vulnerability with port 80
vulnerability.port: 80
Examples
Show findings found on TCP
vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
Examples
Show any findings with this OS name
vulnerability.hostOS:Windows 2012
Show any findings that contain components of OS name
vulnerability.hostOS:"Windows 2012"
Show any findings that match exact value "Windows 2012"
vulnerability.hostOS:`Windows 2012`
Example
Show findings with this type
vulnerability.typeDetected:Confirmed
Examples
Show PCI vulnerabilities
vulnerability.PCI:TRUE
Do not show PCI vulnerabilities
vulnerability.PCI:FALSE
Example
Show findings with Windows auth type
vulnerability.authTypes:WINDOWS_AUTH
Example
Show findings with BugTraq ID 22211
vulnerability.bugTraqIds:22211
Examples
Show any findings related to this description
vulnerability.compliance.description:malicious software
Show any findings that contain "malicious" or "software" in description
vulnerability.compliance.description:"malicious software"
Show any findings that match exact value "malicious software"
vulnerability.compliance.description:`malicious software`
Examples
Show any findings related to this section
vulnerability.compliance.section:164.308
Show any findings that contain parts of section
vulnerability.compliance.section:"164.308"
Show any findings that match exact value "164.308"
vulnerability.compliance.section:`164.308`
Example
Show findings with the compliance type HIPAA
vulnerability.compliance.type:HIPAA
Examples
Show any findings related to consequence
vulnerability.consequence:sensitive information
Show any findings that contain "sensitive" or "information" in consequence
vulnerability.consequence:"sensitive information"
Show any findings that match exact value "sensitive information"
vulnerability.consequence:`sensitive information`
Example
Show findings with this flag
vulnerability.flags:PCI_RELATED
Example
Show findings with vulnerabilities in SANS Top 20
vulnerability.lists:SANS_20
Example
Show assets with this patch QID
vulnerability.patches:90753
Examples
Show findings for vulnerabilities published within certain dates
vulnerability.published:[2015-10-21 ... 2016-01-15]
Show findings for vulnerabilities published starting 2017-01-01, ending 1 month ago
vulnerability.published:[2017-01-01 ... now-1M]
Show findings for vulnerabilities published starting 2 weeks ago, ending 1 second ago
vulnerability.published:[now-2w ... now-1s]
Show findings for vulnerabilities published on certain date
vulnerability.published:'2018-01-15'
Example
Show findings with risk 50
vulnerability.risk:50
Examples
Show any findings related to this OS value
vulnerability.os:windows
Show any findings that contain parts of OS value
vulnerability.os:"windows"
Show any findings that match exact value "windows"
vulnerability.os:`windows`
Example
Show instances with this score
vulnerability.cvssInfo.baseScore:7.8
Example
Show instances with this score
vulnerability.cvssInfo.temporalScore:6.4
Example
Show findings with Remote discovery type
vulnerability.discoveryTypes:REMOTE
Example
Show findings with this category name
vulnerability.sans20Categories:Media Players
Examples
Show any findings related to this solution
vulnerability.solution:Bulletin MS10-006
Show any findings that contain parts of solution
vulnerability.solution:"Bulletin MS10-006"
Show any findings that match exact value "Bulletin MS10-006"
vulnerability.solution:`Bulletin MS10-006`
Example
Show vulnerabilities with ACTIVE status
vulnerability.status:ACTIVE
Example
Show vulnerabilities supported by Linux Agent
vulnerability.supportedBy:LINUX_AGENT
Example
Show this vendor reference
vulnerability.vendorRefs:KB3021953
Example
Show findings with this vendor product name
vulnerability.vendors.productName:Windows
Example
Show findings with this vendor name
vulnerability.vendors.vendorName:Adobe
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Example
Show resources with threats due to active attacks
vulnerability.threatIntel.activeAttacks: "true"
Example
Show resources with threats due to denial of service
vulnerability.threatIntel.denialOfService: "true"
Example
Show resources with threats due to easy exploit
vulnerability.threatIntel.easyExploit: "true"
Example
Show resources with threats due to exploit kit
vulnerability.threatIntel.exploitKit: "true"
Examples
Show any findings with this name
vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
vulnerability.threatIntel.exploitKitName: `Angler`
Example
Show resources with threats due to high data loss
vulnerability.threatIntel.highDataLoss: "true"
Example
Show resources with threats due to high lateral movement
vulnerability.threatIntel.highLateralMovement: "true"
Example
Show resources with threats due to malware
vulnerability.threatIntel.malware: "true"
Examples
Show any findings with this name
vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Example
Show resources with threats due to no patch available
vulnerability.threatIntel.noPatch: "true"
Example
Show resources with threats due to public exploit
vulnerability.threatIntel.publicExploit: "true"
Examples
Show any findings with this name
vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Example
Show resources with threats due to zero day exploit
vulnerability.threatIntel.zeroDay: "true"
These tokens are available in queries with resource.type:Internet Gateway
Example
Show findings with this state
internetgateway.state: available
Example
Show findings with this VPC ID
internetgateway.vpcId: vpc-1e37cd76
These tokens are available in queries with resource.type:Load Balancer
Example
Find resources in the us-east-1a availability zone
elb.availabilityZone: us-east-1a
Examples
Show resources created within certain dates
elb.createdTime: [2018-01-01 ... 2018-03-01]
Show resources created from starting 2018-01-01, ending 1 month ago
elb.createdTime: [2018-01-01 ... now-1m]
Show resources created starting 2 weeks ago, ending 1 second ago
elb.createdTime: [now-2w ... now-1s]
Show resources created on specific date
elb.createdTime: 2018-01-08
Example
Show findings with this DNS name
elb.dnsName: load-balancer-12345.elb.us-west.amazonaws.com
Example
Show resources with this instance ID
elb.instanceId: 10.90.0.119
Example
Show findings with this IP address type
elb.ipAddressType: ipv4
Example
Show load balancers on this instance port
elb.listener.instancePort: 200
Example
Show findings with this instance protocol
elb.listener.instanceProtocol: HTTPS
Example
Show findings on this load balancer port
elb.listener.loadBalancerPort: 200
Example
Show findings running on this listener protocol
elb.listener.protocol: HTTP
Example
Show findings with this scheme
elb.scheme: internet-facing
Example
Show findings with this security group ID
elb.securityGroupId: sg-1a2b3c4d
Example
Show findings with this load balancer state
elb.state: active
Example
Show findings with this load balancer type
elb.type: classic
Example
Show findings with this VPC ID
elb.vpcId: vpc-1e37cd76
Example
Show findings in this subnet
elb.subnet: subnet-cc96efa8
These tokens are available in queries with resource.type:Network ACL
Example
Show findings with this ID
networkacl.association.subnetId: subnet-6f2cec07
Example
Show findings with this IPv4 CIDR block
networkacl.cidrBlock: 172.31.0.0/16
Examples
Show findings with the default network ACL
networkacl.defaultAcl: true
Show findings not defined with default network ACL
networkacl.defaultAcl: false
Examples
Show findings where the network ACL does apply to egress traffic
networkacl.egress: true
Show findings where it does not apply to egress traffic
networkacl.egress: false
Example
Show findings with this IPv6 CIDR block
networkacl.ipv6CidrBlock: 2001:db8::/32
Example
Show findings with rules with port range starting at 1024
networkacl.portRange.from: 1024
Example
Show findings with rules with port range ending at 65535
networkacl.portRange.to: 65535
Example
Show findings with rules for protocol tcp
networkacl.protocol: tcp
Example
Show findings with rules that allow matching traffic
networkacl.ruleAction: allow
Example
Show findings with rule number 130
networkacl.ruleNumber: 130
Example
Show findings with this VPC ID
networkacl.vpcId: vpc-1e37cd76
Example
Show findings with this association ID
networkacl.association.id: aclassoc-3999875b
Example
Show findings with this ID
networkacl.association.networkAclId: acl-211bf848
These tokens are available in queries with resource.type:Route Table
Examples
Show findings for the main route table
routetable.main: true
Show findings that are not the main route table
routetable.main: false
Example
Show findings with this IPv4 CIDR range
routetable.route.destinationCidrBlock: 10.0.0.0/16
Example
Show findings with this route state
routetable.route.state: active
Example
Show findings with this ID
routetable.subnetId: subnet-6f2cec07
Example
Show findings with this VPC ID
routetable.vpcId: vpc-1e37cd76
Example
Show findings with this ID
routetable.association.id: rtbassoc-781d0d1a
Example
Show findings for this ID
routetable.association.routeTableId: rtb-ffbe1297
Example
Show findings with this IPv6 CIDR range
routetable.route.destinationIpv6CidrBlock: 2001:db8::/32
Example
Show findings with this prefix list ID
routetable.route.destinationPrefix: pl-63a5400a
Example
Show findings with this ID
routetable.route.egressInternetGatewayId: pl-eigw-1234567890
Example
Show findings with this virtual private gateway ID
routetable.route.gatewayId: igw-12345678
Example
Show findings with this ID
routetable.route.instanceId: rtb-f8805e91
Example
Show findings with this AWS account ID
routetable.route.instanceOwnerId: aws-acct-id
Example
Show findings with this ID
routetable.route.natGatewayId: local
Example
Show findings with this ID
routetable.route.networkInterfaceId: eni-12345
Example
Show findings with this ID
routetable.route.vpcPeeringId: pcx-00197469
These tokens are available in queries with resource.type:S3 Bucket
Examples
show S3 buckets created within certain dates
s3.creationDate: [2018-01-01 ... 2018-03-01]
Show S3 bucketscreated from starting 2018-01-01, ending 1 month ago
s3.creationDate: [2018-01-01 ... now-1m]
Show S3 bucketscreated starting 2 weeks ago, ending 1 second ago
s3.creationDate: [now-2w ... now-1s]
Show S3 buckets created on specific date
s3.creationDate: 2018-01-08
Examples
Show s3 buckets that are publicly accessible
s3.isPubliclyAccessible: true
Show s3 buckets that are not publicly accessible
s3.isPubliclyAccessible: false
Example
Show findings with this owner ID
s3.ownerId: a3a33997d333416174cb4c27fa89364a2f31b12498ffc
Examples
Show any findings with this name
s3.ownerName: Andrew Smith
Show any findings that contain parts of name
s3.ownerName: "Andrew Smith"
These tokens are available in queries with resource.type:Security Group
Examples
Show any findings with this description
securitygroup.description: Allow RDP to Windows Machines
Show any findings that contain parts of description
securitygroup.description: "Allow RDP to Windows Machines"
Example
Show findings with this from port
securitygroup.inboundRule.fromPort: 200
Example
Show findings with the tcp protocol
securitygroup.inboundRule.ipProtocol: tcp
Example
Show findings with this range
securitygroup.inboundRule.ipv4Range: 203.0.113.0/24
Example
Show findings with this range
securitygroup.inboundRule.ipv6Range: 2001:db8::/32
Example
Show findings with this group ID
securitygroup.inboundRule.toPort: 200
Example
Show findings with this group name
securitygroup.name: Windows RDP Allow Group
Example
Show findings with this from port
securitygroup.outboundRule.fromPort: 200
Example
Show findings with the tcp protocol
securitygroup.outboundRule.ipProtocol: tcp
Example
Show findings with this range
securitygroup.outboundRule.ipv4Range: 203.0.113.0/24
Example
Show findings with this range
securitygroup.outboundRule.ipv6Range: 2001:db8::/32
Example
Show findings with this to port
securitygroup.outboundRule.toPort: 151
Example
Show findings with this VPC ID
securitygroup.vpcId: vpc-1e37cd76
Example
Show findings with QID 90405
association.instances.vulnerability.qid:90405
Example
Show findings with severity 4
association.instances.vulnerability.severity:4
Example
Show findings with severity 3
association.instances.vulnerability.customerSeverity:3
Examples
Show any findings related to this description
association.instances.vulnerability.exploitability: GIF Parser Heap
Show any findings that contain "GIF", "Parser" or "Heap" in description
association.instances.vulnerability.exploitability: "GIF Parser Heap"
Show any findings that match exact value
association.instances.vulnerability.exploitability: `GIF Parser Heap`
Examples
Show findings with patch available
association.instances.vulnerability.patchAvailable: "true"
Show findings with no patch available
association.instances.vulnerability.patchAvailable: "false"
Examples
Show findings first found within certain dates
association.instances.vulnerability.firstFound: [2015-10-21 ... 2015-10-30]
Show findings first found starting 2015-10-01, ending 1 month ago
association.instances.vulnerability.firstFound: [2015-10-01 ... now-1M]
Show findings first found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.firstFound: [now-2w ... now-1s]
Show findings first found on certain date
association.instances.vulnerability.firstFound:'2015-11-11'
Examples
Show findings last found within certain dates
association.instances.vulnerability.lastFound: [2015-10-21 ... 2016-01-15]
Show findings last found starting 2016-01-01, ending 1 month ago
association.instances.vulnerability.lastFound: [2016-01-01 ... now-1M]
Show findings last found starting 2 weeks ago, ending 1 second ago
association.instances.vulnerability.lastFound: [now-2w ... now-1s]
Show findings last found on certain date
association.instances.vulnerability.lastFound:'2016-01-11'
Show findings last found on 2017-01-12 with patch available
vulnerabilities: (lastFound: '2017-01-12' AND association.instances.vulnerability.patchAvailable: "true")
Examples
Show any findings related to this title
association.instances.vulnerability.title: Remote Code Execution
Show any findings that contain "Remote" or "Code" in title
association.instances.vulnerability.title: "Remote Code"
Show any findings that match exact value
association.instances.vulnerability.title: `Remote Code`
Examples
Show any findings related to description
association.instances.vulnerability.description: remote code execution
Show any findings that contain "remote" or "code" in description
association.instances.vulnerability.description: "remote code execution"
Show any findings that match exact value
association.instances.vulnerability.description: `remote code execution`
Example
Show findings with CVE name CVE-2015-0313
association.instances.vulnerability.cveIds: CVE-2015-0313
Example
Show findings with the category CGI
association.instances.vulnerability.category: "CGI"
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.baseScore: 7.8
Example
Show resources with this score
association.instances.vulnerability.cvssInfo.temporalScore: 6.4
Example
Show findings with this name
association.instances.vulnerability.cvssInfo.accessVector: "NETWORK"
Examples
Find security group related to name
instance.securityGroup.name: abc.qualys.com
Find security group that match exact value
instance.securityGroup.name: `abc.qualys.com`
Examples
Find security groups with this public IP address
association.instances.publicIpAddress: 52.70.141.154
Find security groups within this IP range
association.instances.publicIpAddress: [52.70.141.154 ... 52.70.141.164]
Example
Show vulnerability with port 80
association.instances.vulnerability.port: 80
Examples
Show findings found on TCP
association.instances.vulnerability.protocol: TCP
Show findings found on port 80 and TCP
vulnerability: (port: 80 AND protocol: TCP)
(For Threat Protection users) Use these tokens for searching Real-Time Threat Indicators (RTI).
Example
Show resources with threats due to active attacks
association.instances.vulnerability.threatIntel.activeAttacks: "true"
Example
Show resources with threats due to denial of service
association.instances.vulnerability.threatIntel.denialOfService: "true"
Example
Show resources with threats due to easy exploit
association.instances.vulnerability.threatIntel.easyExploit: "true"
Example
Show resources with threats due to exploit kit
association.instances.vulnerability.threatIntel.exploitKit: "true"
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.exploitKitName: Angler
Show any findings that match exact value
association.instances.vulnerability.threatIntel.exploitKitName: `Angler`
Example
Show resources with threats due to high data loss
association.instances.vulnerability.threatIntel.highDataLoss: "true"
Example
Show resources with threats due to high lateral movement
association.instances.vulnerability.threatIntel.highLateralMovement: "true"
Example
Show resources with threats due to malware
association.instances.vulnerability.threatIntel.malware: "true"
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.malwareName: TROJ_PDFKA.DQ
Show any findings that match exact value
association.instances.vulnerability.threatIntel.malwareName: `TROJ_PDFKA.DQ`
Example
Show resources with threats due to no patch available
association.instances.vulnerability.threatIntel.noPatch: "true"
Example
Show resources with threats due to public exploit
association.instances.vulnerability.threatIntel.publicExploit: "true"
Examples
Show any findings with this name
association.instances.vulnerability.threatIntel.publicExploitName: RealVNC NULL Authentication Mode Bypass
Show any findings that contain parts of name
association.instances.vulnerability.threatIntel.publicExploitName: "RealVNC NULL Authentication Mode Bypass"
Show any findings that match exact value
association.instances.vulnerability.threatIntel.publicExploitName: `RealVNC NULL Authentication Mode Bypass`
Example
Show resources with threats due to zero day exploit
association.instances.vulnerability.threatIntel.zeroDay: "true"
These tokens are available in queries with resource.type:Subnet
Examples
Show subnets with auto-assign IPv6 address
subnet.autoAssignIpv6Address: true
Show subnets without auto-assign IPv6 address
subnet.autoAssignIpv6Address: false
Examples
Show subnets with public IP address assigned on launch
subnet.autoAssignPublicIp: true
Show subnets without public IP address assigned on launch
subnet.autoAssignPublicIp: false
Example
Show findings in the us-east-1a availability zone
subnet.availabilityZone: us-east-1a
Example
Show findings with this available IP count
subnet.availableIpCount: 4091
Example
Show findings with this IPv4 CIDR block
subnet.cidrBlock: 172.31.0.0/16
Examples
Show subnets that are the default
subnet.defaultsubnet: true
Show subnets that are not the default
subnet.defaultSubnet: false
Example
Show findings with this IPv6 CIDR block
subnet.ipv6CidrBlock: 2001:db8::/32
Example
Show findings with this VPC ID
subnet.vpcId: vpc-1e37cd76
These tokens are available in queries with resource.type:VPC
Example
Show findings with this IPv4 CIDR block
vpc.cidrBlock: 172.31.0.0/16
Examples
Show VPCs that are the default
vpc.defaultVpc: true
Show VPCs that are not the default
vpc.defaultVpc: false
Examples
Show any findings with this tenancy
vpc.instanceTenancy: default
Show findings that contain parts of tenancy
vpc.instanceTenancy: "default"
Example
Show findings with this IPv6 CIDR block
vpc.ipv6CidrBlock: 2001:db8::/32
These tokens are available in queries with resource.type:RDS
Example
Show RDS resources with this DB instance name
rds.dbInstanceIdentifier: RDSdatabasename
Examples
Show RDS resources that use this port as endpoint
rds.endpoint.port: 5432
Examples
Show RDS resources with this engine name
rds.engine: mysql
Example
Show RDS resources with this size
rds.instanceClass: db.t2.micro
Examples
Show RDS resources that are the accessible
rds.publiclyAccessible: true
Show RDS resources that are not publicly accessible
rds.publiclyAccessible: false
Examples
Show RDS resources with this security group Id.
rds.securityGroup.id: sg-3abe5246
Example
Show RDS resources that are available
rds.status: available
Example
Show RDS resources with this VPC Id
rds.subnetGroup.dbSubnetVpcId: vpc-1e37cd7e
These tokens are available in queries with resource.type:EBS Volume
Examples
Show EBS volume resources that are encrypted.
ebsvolume.encrypted: true
Examples
Show resources with this instance ID
ebsvolume.instance: i-045d8dd17d8a2a96f
Example
Show running EBS volume instances
ebsvolume.state: in-use
Example
Show resources with this volumeId
ebsvolume.volumeId: vol-0ac36138436791ca5
Example
Show resources which allow to sample and trace incoming requests with AWS X-Ray. Use Active to achieve this.
lambda.tracingConfig: Active
Example
Show resources with this volumeId
lambda.timeout: vol-0ac36138436791ca5
Example
Show resources with role name as sample_role_lambda
lambda.role: sample_role_lambda
Example
Show resources that are written in Python 2.7
lambda.runtime: python2.7
Example
Show resources with exact name match as sample_lambda_function
lambda.functionName: sample_lambda_function
Example
Show resources with 128 MB memory allocated for execution
lambda.memorySize: 128
Example
Show resources that are triggered on specified ARN
lambda.trigger.arn: arn:aws:iam::383031258652:user/LOCAL_1234
Example
Show resources that triggered on s3 type
lambda.trigger.type: s3
Example
Show resources with this name assigned to the layer
lambda.layer.name: Sample_layer_name
Example
Show resources with this VPCID
lambda.vpcId: vpc-4bd3013
Example
Show resources with key Department
tag.key: Department
Example
Show resources with tag value Finance
tag.value: Finance